Exam 14: IT Security Management and Risk Assessment


_________ is choosing to accept a risk level greater than normal for business reasons.

(Multiple Choice)

A(n) _________ is a weakness in an asset or group of assets that can be exploited by one or more threats.

(Short Answer)

The term ________ refers to a document that details not only the overall security objectives and strategies, but also procedural policies that define acceptable behavior, expected practices, and responsibilities.

(Short Answer)

The __________ approach to risk assessment aims to implement a basic general level of security controls on systems using baseline documents, codes of practice, and industry best practice.

(Short Answer)

The _________ approach combines elements of the baseline, informal, and detailed risk analysis approaches.

(Short Answer)

Because the responsibility for IT security is shared across the organization, there is a risk of inconsistent implementation of security and a loss of central monitoring and control.

(True/False)

A(n) _________ is anything that has value to the organization.

(Short Answer)

__________ ensures that critical assets are sufficiently protected in a cost-effective manner.

(Multiple Choice)

_________ is a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity, and reliability.

(Short Answer)

Establishing security policy, objectives, processes and procedures is part of the ______ step.

(Multiple Choice)

The assignment of responsibilities relating to the management of IT security and the organizational infrastructure is not addressed in a corporate security policy.

(True/False)

A threat may be either natural or human made and may be accidental or deliberate.

(True/False)

A ________ is anything that might hinder or prevent an asset from providing appropriate levels of the key security services.

(Multiple Choice)

ISO details a model process for managing information security that comprises the following steps: plan, do, ________, and act.

(Short Answer)

The four approaches to identifying and mitigating risks to an organization's IT infrastructure are: baseline approach, detailed risk analysis, combined approach, and __________ approach.

(Short Answer)

Implementing the risk treatment plan is part of the ______ step.

(Multiple Choice)

Not proceeding with the activity or system that creates the risk is _________.

(Short Answer)

The _________ approach involves conducting a risk analysis for the organization's IT systems that exploits the knowledge and expertise of the individuals performing the analysis.

(Multiple Choice)

_________ include management, operational, and technical processes and procedures that act to reduce the exposure of the organization to some risks by reducing the ability of a threat source to exploit some vulnerabilities.

(Multiple Choice)

Legal and regulatory constraints may require specific approaches to risk assessment.

(True/False)